[PATCH] D40478: Added Instrument Control Flow Flag

Oren Ben Simhon via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Tue Dec 12 03:16:04 PST 2017


oren_ben_simhon added inline comments.


================
Comment at: include/clang/Driver/Options.td:1035
   HelpText<"Instrument function entry only, after inlining, without arguments to the instrumentation call">;
-
+def finstrument_control_flow : Flag<["-"], "finstrument-control-flow">,
+  Group<f_Group>, Flags<[CC1Option]>,
----------------
pcc wrote:
> oren_ben_simhon wrote:
> > pcc wrote:
> > > My comments about the attribute name in D40482 also apply to this flag name. GCC appears to have chosen a better name for this flag, `-mcet`. Can we use that name instead?
> > Again, I am sorry for the late response, I was off for about a week.
> > GCC is only using -mcet as a super set for -mibt and -mshstk. I am planning to add it in a different review.
> > -mcet/-mibt/-mshstk only enables the HW technology (ISA/Intrinsics).
> > GCC is using -cf-protection for actually instrumenting the control flow.
> > I think it will be best to stay coherent with GCC (and ICC and soon MS) and use -cf-protection.
> > What do you think?
> I see. As far as I can tell, there are no released versions of GCC and ICC with the new flags, so I think there is still a possibility to change them. (MS is a different story, their flags are incompatible anyway.)
> 
> I took a closer look at what GCC does, and here are my thoughts:
> - As far as I can tell, IBT does not introduce any new instructions other than ENDBRANCH, and it doesn't seem to make sense for ENDBRANCH to be exposed via intrinsics (but rather via attributes, as you have done). That means that `-mibt` basically does nothing except for allowing the use of `-fcf-protection`.
> - SHSTK introduces ISA extensions that seem reasonable to expose via intrinsics, so it would probably be fine to have a `-mshstk` flag that enables the intrinsics.
> - In GCC, `-fcf-protection` means "emit code that is compatible with CET" and requires that the user pass `-mibt` or `-mshstk`. But the code that it emits is also compatible with non-CET processors, so it doesn't make sense to me to require the use of flags such as `-mshstk` which imply that SHSTK is required.
> 
> As for the name of the flag: there is nothing about the name `-fcf-protection` that implies hardware-based protection, so the presence of this flag could confuse users who want software-based protection. The hardware-based protection is sort of implied by the requirement to pass `-mibt` or `-mshstk`, but that is a little awkward, and I don't think it makes sense either for the reasons I mentioned. What we want is a clear way to say "I want to generate code that is compatible with (but does not require) this hardware feature", but there doesn't seem to be any precedent for how to express that. The most straightforward way to express it is to mention the name of the hardware feature in the flag.
> 
> So here are the changes that I would propose across compilers:
> - Remove the `-mibt` flag.
> - Change the flag that emits ENDBRANCH to something like `-mcet-compatible` and stop requiring the use of other flags.
> Please let me know what you think.
It is true that -mibt doesn't enable intrinsics however it is required for the case of inline asm.
The code that -cf-protection produce is not always compatible with non-CET processors.
For example, consider the required fix to the shadow stack in the case of setJmp/longJmp. 
In that case, we need to use SHSTK instructions (like incssp) that are not compatible.
Would the flag -fcf-arch-protection make more sense (as it implies on HW support)?


Repository:
  rL LLVM

https://reviews.llvm.org/D40478





More information about the llvm-commits mailing list